keycloak service: allow to set empty frontend URL

This together with extraConfig:

{
  "subsystem=undertow"."server=default-server"."http-listener=default"."proxy-address-forwarding" = true;
  "subsystem=undertow"."server=default-server"."https-listener=https"."proxy-address-forwarding" = true;
}

Allows to run Keycloak behind a reverse proxy that provides
X-Forwarded-* headers.

nixos/modules/services/web-apps/keycloak.nix

@@ -55,7 +55,11 @@ in
 
     frontendUrl = lib.mkOption {
       type = lib.types.str;
-      apply = x: if lib.hasSuffix "/" x then x else x + "/";
+      apply = x:
+        if x == "" || lib.hasSuffix "/" x then
+          x
+        else
+          x + "/";
       example = "keycloak.example.com/auth";
       description = ''
         The public URL used as base for all frontend requests. Should

nixos/modules/services/web-apps/keycloak.xml

@@ -85,7 +85,12 @@
        The frontend URL is used as base for all frontend requests and
        must be configured through <xref linkend="opt-services.keycloak.frontendUrl" />.
        It should normally include a trailing <literal>/auth</literal>
-       (the default web context).
+       (the default web context). If you use a reverse proxy, you need
+       to set this option to <literal>""</literal>, so that frontend URL
+       is derived from HTTP headers. <literal>X-Forwarded-*</literal> headers
+       support also should be enabled, using <link
+       xlink:href="https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses">
+       respective guidelines</link>.
      </para>
 
      <para>